QTriangulator: fix a potential out of bounds access

primeForCount tries to calculate a rough base 2 logarithm of the argument,
in order to access the array of deltas between primes.

However, the usage of an arithmetic shift instead of a logical shift
could cause "high" to stay at 32 -- if the argument is INT_MAX, for instance,
the condition of the if clause in the loop is always true. The loop
would go this way:

* precond:                    low = 0 , high = 32
* i = 0  : mid = 16, if TRUE, low = 16, high = 32
* i = 1  : mid = 24, if TRUE, low = 24, high = 32
* i = 2  : mid = 28, if TRUE, low = 28, high = 32
* i = 3  : mid = 30, if TRUE, low = 30, high = 32
* i = 4  : mid = 31, if TRUE, low = 31, high = 32

and hence the subsequent access of the 33rd position of the array
(by passing index 32) is out of bounds.

Now the if at i = 4 is true because "1 << 31" is an arithmetic shift,
not a logical one, and gives - (2^31) as result. Making it a logical shift
fixes this (INT_MAX is 2^31-1, the shift gives 2^31, so the if is false).

Spotted by Coverity.

Change-Id: Ied89f4c87d603a209284e22c30f18a3e464d84fd
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
Giuseppe D'Angelo 2014-09-20 19:40:28 +02:00
parent ae0a624e2f
commit 4adf5e1a9e

@ -457,7 +457,7 @@ static inline int primeForCount(int count)
int high = 32; int high = 32;
for (int i = 0; i < 5; ++i) { for (int i = 0; i < 5; ++i) {
int mid = (high + low) / 2; int mid = (high + low) / 2;
if (count >= 1 << mid) if (uint(count) >= (1u << mid))
low = mid; low = mid;
else else
high = mid; high = mid;
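
Review bot: On the changed `if` line, the `uint(count)` cast makes any negative `count` compare as a value of at least 2^31, so the condition holds for every `mid` up to 31 and `high` is still 32 when the loop ends, which is the index the commit message identifies as out of bounds. The old signed comparison was false for negative arguments, so this path is new with the cast. Since the function takes `int count`, either assert `count >= 0` on entry to `primeForCount` and document that precondition, or clamp `high` to 31 before it is used as an array index, so the bound does not depend on callers never passing a negative value.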